A recent article in Forbes outlines some major missteps the healthcare industry is making when it comes to data security. In the wake of a record year for data loss, with breaches at some of the largest healthcare companies, the fact that there are problems with their cybersecurity comes as no surprise. As recently reported, 8 of the 10 largest breaches across all industries occurred in healthcare. As many experts have explained, healthcare records and insurance numbers are now a more lucrative target than credit card numbers. Yet healthcare companies, from insurers to hospitals and clinics, seem ill prepared to thwart today’s advanced exploits. Here’s what the author of this article characterizes as healthcare’s five most urgent vulnerabilities:
- Too much focus on HIPAA compliance: According to the article, the highest number of breaches in 2015 occurred in organizations that had HIPAA-compliant databases; compliance with the rule did not stop the breaches.
- BYOD isn’t being secured: With more doctors on mobile devices, emailing and texting both colleagues and patients, unsecured devices are a glaring risk, particularly when they’re personally owned.
- Too little investment in security: According to CNBC, healthcare organizations devote only 14% of their IT budgets to security, where other industries devote 20%. Other surveys have placed healthcare security budgets as low as 3% of total IT spend.
- Security isn’t prioritized across the organization: In too many organizations, including in healthcare, employees consider security the responsibility of IT and aren’t nearly vigilant or careful enough with their email and personal devices.
- Over-simplifying or over-complicating systems: Here the author warns that IT policies and systems will be ignored if they are too difficult to follow, and will be ineffective if they are too simple. He calls for a balance between security and usability.
The second half of the article is concerned with what healthcare organizations need to do to avoid another year of data breaches like 2015.
- Focus on risk management: Healthcare organizations are advised to worry less about HIPAA compliance and more about data security, layering in security technology such as behavioral analytics that can identify suspicious activity before data is compromised.
- Two-factor authentication: The article says two-factor authentication is the minimum organizations should require, but it shouldn’t be so cumbersome that healthcare professionals are frustrated by it.
- Encryption for data and devices: Data needs to be encrypted at rest and in transit, particularly because of the heavy use of mobile devices by healthcare professionals who send data back and forth.
- Enterprise mobile device management is important: Healthcare needs enterprise mobile device management (MDM) to secure devices that access organizations’ networks.
- Make sure security is in your culture: While deploying the most advanced technology is of paramount importance, the author reminds us that establishing security policies and training your workforce are also crucial to increasing data security. He advises healthcare organizations to instill a sense of personal responsibility in all employees, particularly those who have access to sensitive data.